Summary (give a brief description of the issue)
When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account that executes builds on your behalf. This Cloud Build service account previously held the logging.privateLogEntries.list IAM permission, which gave every build access to list private log entries by default. That permission has now been revoked from the Cloud Build service account to adhere to the security principle of least privilege.
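A defender will want to confirm that the default Cloud Build service account in their own projects no longer holds this permission, directly or through a custom role that re-grants it. The following audit is an added example, not code from the advisory or from Google; the policy and role-permission documents it inspects are constructed samples in the shape returned by `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe ROLE --format=json`, and the permission lists inside them are illustrative, not authoritative listings of those roles.

```python
"""Check whether a project's default Cloud Build service account still holds
logging.privateLogEntries.list via any role bound to it (added example)."""
from typing import Dict, Iterable, List, Set

TARGET_PERMISSION = "logging.privateLogEntries.list"


def cloud_build_sa_member(project_number: str) -> str:
    # Member string for the legacy default Cloud Build service account.
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def roles_for_member(policy: Dict, member: str) -> Set[str]:
    """Collect every role the member is bound to in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def roles_granting(permission: str, member_roles: Iterable[str],
                   role_perms: Dict[str, List[str]]) -> List[str]:
    """Return the member's roles whose includedPermissions contain `permission`."""
    return sorted(r for r in member_roles if permission in role_perms.get(r, []))


def audit_cloud_build_sa(policy: Dict, role_perms: Dict[str, List[str]],
                         project_number: str) -> List[str]:
    """Roles that still grant the target permission to the Cloud Build SA (empty = clean)."""
    member = cloud_build_sa_member(project_number)
    return roles_granting(TARGET_PERMISSION, roles_for_member(policy, member), role_perms)


# Constructed sample data (not real role definitions). The custom role below
# re-grants the permission explicitly, the way it commonly creeps back in.
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": [cloud_build_sa_member(SAMPLE_PROJECT_NUMBER)]},
    {"role": "projects/example-project/roles/buildLogReader",
     "members": [cloud_build_sa_member(SAMPLE_PROJECT_NUMBER)]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]}
SAMPLE_ROLE_PERMS = {
    "roles/cloudbuild.builds.builder": ["cloudbuild.builds.create", "logging.logEntries.create"],
    "projects/example-project/roles/buildLogReader": [TARGET_PERMISSION],
    "roles/viewer": [TARGET_PERMISSION],  # not bound to the build SA, so not reported
}

if __name__ == "__main__":
    print(audit_cloud_build_sa(SAMPLE_POLICY, SAMPLE_ROLE_PERMS, SAMPLE_PROJECT_NUMBER))
```

Against a live project, feed it the JSON from the two `gcloud` commands named above; an empty result means no bound role grants the permission.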
References (provide links to blogposts, etc.)
https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/
https://cloud.google.com/build/docs/security-bulletins#gcp-2023-013